Security procedure

ABSTRACT

According to an example aspect of the present invention, there is provided an apparatus comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to establish information to be provided to a base station device, before activation of a first encryption scheme, cause transmission of the information, in a form encrypted using a second encryption scheme, to the base station device, and begin, after causing the transmission of the information, using the first encryption scheme in communication between the apparatus and the base station device

FIELD

The present invention relates to data encryption in a communicationsystem.

BACKGROUND

In communication networks, which may comprise wireless and/or wirednetworks, user equipments may have different modes with respect to thenetwork. For example, in cellular wireless networks, a user equipmentmay find itself in an idle more or a connected mode.

Idle mode is characterized by a presence of a generic rough locationknowledge of the user equipment, which may be referred to as a UEcontext, and/or an absence of an active communication context betweenthe user equipment and the network. The user equipment may be paged bythe network, and the network may be arranged to keep track of thewhereabouts of the user equipment. Similarly, the user equipment mayinvoke a connection establishment process to activate a communicationcontext with the network. An idle mode user equipment may conduct cellre-selection measurements, for example.

Connected mode, on the other hand, may be characterized by morecell-level knowledge of user location and/or presence of an activecommunication context between the user equipment and the network.Information communicated over such an active communication context maybe encrypted, or ciphered, to protect its security while in transit. Anactive communication context may comprise a protocol structure with aplurality of layers, such that layers are encapsulated in each other, toenable maintenance of the overall connection at different networkstages. For example, a physical layer may connect a wireless terminal toa base station or access point, and convey all higher layers as payloadof the physical layer. Such higher layers may comprise, for example atransport layer and an application layer conveying as payloadinformation a user may be presented with.

In some technologies, when the user equipment, UE, connects to thenetwork for the very first time, it is neither in idle nor in connectedmode. The first connection is then used to register the UE via aninitial attachment procedure to the network, so that it becomes aware ofthe rough location of the user equipment even when it doesn't have anactive communication context present. After the initial connection, theuser equipment is provided information it needs to connect to thenetwork in subsequent connection attempts, and the network is providedinformation about a user identity for the subsequent connectionattempts. Hence, after the initial attachment, the user equipment canoperate in idle and connected mode and the network has a stored UEcontext.

In connection with a connection establishment procedure, the connectionis established and encryption is activated. In order for encryption towork, participating entities must support the same encryption algorithmsand modalities, such that data encrypted by a transmitter may bedecrypted by a recipient. Decrypting is a term used when referring toreversing, or undoing, an encrypting operation. For example, anencrypting operation obtains a ciphertext from a plaintext, anddecryption then obtains the original plaintext from the ciphertext.

Encryption may be activated by the network by transmitting a securitycommand to the user equipment. An example of a security command is theSecurityModeCommand of long term evolution, LTE.

SUMMARY OF THE INVENTION

The invention is defined by the features of the independent claims. Somespecific embodiments are defined in the dependent claims.

According to a first aspect of the present invention, there is providedan apparatus comprising a memory configured to store information, atleast one processing core configured to receive the information, inencrypted form using a second encryption scheme, from a user equipment,in the apparatus, before activation of a first encryption scheme, obtainan unencrypted form of the information, and use the unencrypted form ofthe information to provide service to the user equipment before or afterthe first encryption scheme is activated.

Various embodiments of the first aspect may comprise at least onefeature from the following bulleted list:

-   -   the apparatus is configured to process a triggering of the        activation of the first encryption scheme during a connection        establishment procedure    -   the apparatus is configured to obtain the unencrypted form of        the information via a core network    -   apparatus is configured to obtain the unencrypted form of the        information at least partly by requesting an unencryption key        from a core network    -   the first encryption scheme comprises an access stratum AS        encryption scheme    -   the second encryption scheme comprises a non-access stratum,        NAS, encryption scheme relating to the user equipment    -   the apparatus is configured to obtain the unencrypted form of        the information by providing the encrypted form of the        information to a mobility management entity, and by receiving        the unencrypted form of the information from the mobility        management entity    -   the second encryption scheme comprises an encryption scheme        pre-negotiated between the core network and the user equipment    -   the apparatus is configured to receive an encryption key from a        core network, and to decrypt the information to thereby obtain        the unencrypted form    -   the information comprises at least one of secondary cell        measurement results and a secondary cell configuration requested        by the user equipment    -   the at least one processing core is configured to cause        transmission of a security command comprising an instruction to        trigger activation of the first encryption scheme between the        user equipment and a network    -   the apparatus is comprised in a base station device.

According to a second aspect of the present invention, there is providedan apparatus comprising at least one processing core, at least onememory including computer program code, the at least one memory and thecomputer program code being configured to, with the at least oneprocessing core, cause the apparatus at least to establish informationto be provided to a base station device, before activation of a firstencryption scheme, cause transmission of the information, in a formencrypted using a second encryption scheme, to the base station device,and begin, after causing the transmission of the information, using thefirst encryption scheme in communication between the apparatus and thebase station device.

Various embodiments of the second aspect may comprise at least onefeature from the following bulleted list:

-   -   information comprises at least one of secondary cell measurement        results and a desired secondary cell configuration    -   the apparatus is configured to begin using the first encryption        scheme responsive to a security command communicated with the        base station device, the security command including an        instruction to activate the first encryption scheme    -   the apparatus is configured to cause the transmission of the        information in connection with a connection establishment        process    -   the apparatus is configured to cause the transmission of the        information in a non access stratum container.

According to a third aspect of the present invention, there is providedan apparatus comprising at least one processing core, at least onememory including computer program code, the at least one memory and thecomputer program code being configured to, with the at least oneprocessing core, cause the apparatus at least to receive an initial UEmessage from a base station device, perform a cryptographic operation asa response to the initial UE message, and cause transmission of aninitial context setup request message as a response to the initial UEmessage, the initial context setup request message comprising an outputof the cryptographic operation.

Various embodiments of the third aspect may comprise at least onefeature from the following bulleted list:

-   -   the cryptographic operation comprises decryption of information        present in the initial UE message, and the output of the        cryptographic operation comprises decrypted information    -   the cryptographic operation comprises derivation of an        encryption key, and the output of the cryptographic operation        comprises the encryption key, the encryption key being distinct        from K_(eNB).

According to a fourth aspect of the present invention, there is provideda method comprising storing information in an apparatus, receiving theinformation, in encrypted form using a second encryption scheme, from auser equipment, in the apparatus, before activation of a firstencryption scheme, obtaining an unencrypted form of the information, andusing the unencrypted form of the information to provide service to theuser equipment before or after the first encryption scheme is activated.

Various embodiments of the fourth aspect may comprise at least onefeature corresponding to a feature from the preceding bulleted list laidout in connection with the first aspect.

According to a fifth aspect of the present invention, there is provideda method, comprising establishing information to be provided to a basestation device, before activation of a first encryption scheme, causingtransmission of the information, in a form encrypted using a secondencryption scheme, to the base station device, and beginning, aftercausing the transmission of the information, using the first encryptionscheme in communication between the apparatus and the base stationdevice.

Various embodiments of the fifth aspect may comprise at least onefeature corresponding to a feature from the preceding bulleted list laidout in connection with the second aspect.

According to a sixth aspect of the present invention, there is provideda method, comprising receiving an initial UE message from a base stationdevice, performing a cryptographic operation as a response to theinitial UE message, and causing transmission of an initial context setuprequest message as a response to the initial UE message, the initialcontext setup request message comprising an output of the cryptographicoperation.

Various embodiments of the sixth aspect may comprise at least onefeature corresponding to a feature from the preceding bulleted list laidout in connection with the third aspect.

According to a seventh aspect of the present invention, there isprovided an apparatus comprising means for storing information in anapparatus, means for receiving the information, in encrypted form usinga second encryption scheme, from a user equipment, in the apparatus,before activation of a first encryption scheme, means for obtaining anunencrypted form of the information, and means for using the unencryptedform of the information to provide service to the user equipment beforeor after the first encryption scheme is activated.

According to an eighth aspect of the present invention, there isprovided an apparatus comprising means for establishing information tobe provided to a base station device, means for causing transmission ofthe information, before activation of a first encryption scheme, in aform encrypted using a second encryption scheme, to the base stationdevice, and means for beginning, after causing the transmission of theinformation, using the first encryption scheme in communication betweenthe apparatus and the base station device.

According to a ninth aspect of the present invention, there is provideda non-transitory computer readable medium having stored thereon a set ofcomputer readable instructions that, when executed by at least oneprocessor, cause an apparatus to at least store information in anapparatus, receive the information, in encrypted form using a secondencryption scheme, from a user equipment, in the apparatus, beforeactivation of a first encryption scheme, obtain an unencrypted form ofthe information, and use the unencrypted form of the information toprovide service to the user equipment before or after the firstencryption scheme is activated.

According to a tenth aspect of the present invention, there is provideda non-transitory computer readable medium having stored thereon a set ofcomputer readable instructions that, when executed by at least oneprocessor, cause an apparatus to at least establish, in an apparatus,information to be provided to a base station device, before activationof a first encryption scheme, cause transmission of the information, ina form encrypted using a second encryption scheme, to the base stationdevice, and begin, after causing the transmission of the information,using the first encryption scheme in communication between the apparatusand the base station device.

According to an eleventh aspect of the present invention, there isprovided a non-transitory computer readable medium having stored thereona set of computer readable instructions that, when executed by at leastone processor, cause an apparatus to at least receive an initial UEmessage from a base station device, perform a cryptographic operation asa response to the initial UE message, and cause transmission of aninitial context setup request message as a response to the initial UEmessage, the initial context setup request message comprising an outputof the cryptographic operation.

According to a twelfth aspect of the present invention, there isprovided a computer program configured to cause a method in accordancewith at least one of the fourth, fifth and sixth aspects to beperformed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example system in accordance with at least someembodiments of the present invention;

FIG. 2 illustrates an example embodiment of early encryption inaccordance with principles of the invention.

FIG. 3 illustrates an example apparatus capable of supporting at leastsome embodiments of the present invention;

FIG. 4 illustrates an example embodiment of early encryption inaccordance with principles of the invention;

FIG. 5 illustrates an example embodiment of early encryption inaccordance with principles of the invention;

FIG. 6 is a flow graph of a method in accordance with at least someembodiments of the present invention;

FIG. 7 is a flow graph of a method in accordance with at least someembodiments of the present invention;

FIG. 8 is an example embodiment in accordance with principles of thepresent invention;

FIG. 9 is an example embodiment in accordance with principles of thepresent invention, and

FIG. 10 is an example embodiment in accordance with principles of thepresent invention.

EMBODIMENTS

When a user equipment, UE, moves from RRC IDLE to RRC CONNECTED mode thefirst messages between UE and eNB during random access procedure aresent unciphered, these including, for example, RRCConnectionRequestmessage over SRB0 in random access Msg3, RRCConnectionSetup message fromeNB to UE over SRB0 in random access Msg4 and RRCConnectionSetupCompletefrom UE to eNB over SRB1 in random access Msg5. The lack of security isnatural for the very first message, for example RRCConnectionRequest,since at this initial phase eNB does not know which UE it iscommunicating with. RRCConnectionSetup message is already sent to asingle UE and could in principle be encrypted. The same applies toRRCConnectionSetupComplete message from UE to eNB, it could also beencrypted. However, in current LTE systems encryption is turned on afterSecurityModeCommand which is sent to UE after eNB has communicated withMME and received the keys.

Since the initial messages are unciphered, they cannot contain anycritical information that would reveal, for example, either the UElocation or other UE-specific information that may be used maliciously.UE may have some useful information that could be used by the eNBalready in the first RRC reconfiguration after the initial connectionsetup, but in the current LTE system, security between UE and eNB has tobe setup first and only after that the information can be requested fromthe UE. And only after receiving the additional information from the UE,eNB can perform another RRC reconfiguration taking that information intoaccount.

In this invention we propose new security mechanisms such that UE couldsend relevant information encrypted to eNB in an earlier phase such thatthe eNB can take the UE information into use already in the first RRCreconfiguration after security mode command, for example.

Transmitting information in encrypted form from a user equipment to abase station already before activation of communication contextencryption, or ciphering, may provide benefits, such as a reduced delaybefore the base station can act on the received information. Bycommunication context encryption, or context encryption, it is meantencryption employed in encrypting information transmitted in thecommunication context of a connected state, that is, for example, thecommunication context that is present as a prerequisite for connectedstate. It is also sometimes called access stratum, AS, encryption orsecurity. Certain information types are not suitable for transmission inunencrypted format, wherefore at least some embodiments of the inventionprovide for early transmission of information in encrypted form. Indetail, a non-access stratum, NAS, container and security may be used,or a dedicated early encryption key may be derived for use in connectionestablishment prior to activation of the communication contextencryption. Advantageously, for example, the base station may at leastreceive information from the user equipment and potentially alsoreconfigure a connection with the user equipment, using the information,already before communication context encryption is active.

By NAS it is meant a functional layer in a protocol stack, the layerbeing arranged between a UE and a core network. This layer may be usedto manage establishments of communication sessions and/or maintainingcontinuous connectivity with a UE as it moves, for example. In an LTEsystem, once a UE has performed an initial attach procedure with thenetwork, it has a UE context stored within the mobility managemententity, MME.

FIG. 1 illustrates an example system in accordance with at least someembodiments of the present invention. The system comprises a userequipment, UE, 110, which may comprise a smartphone, mobile phone,tablet computer, laptop computer, desktop computer or indeed anotherkind of suitable device. UE 110 is in wireless communication with a basestation 120, via wireless link 112. Base station is a term employedfrequently when discussing radio nodes in cellular communicationsystems, however in the context of the present document it should beappreciated that also non-cellular systems are envisaged to benefit fromembodiments of the present invention, and are not to be excluded by thisterminological choice. Access point is a term often employed whendiscussing non-cellular radio nodes.

Base station 120, wireless link 112 and UE 110 are arranged to operatein accordance with a communication standard, to thereby obtaininteroperability. For example, wideband code division multiple access,WCDMA, and long term evolution, LTE, and 5G are cellular communicationstandards. On the other hand, wireless local area network, WLAN, andworldwide interoperability for microwave access, WiMAX, are examples ofnon-cellular communication standards. While described herein as awireless communication system, other embodiments of the invention may beimplemented as wired communication systems. Wired communicationstandards include Ethernet, for example. In case of a wiredcommunication system link 112 is not wireless but wired.

Base station 120 is coupled, via connection 123, with node 130. Node 130may be comprised as node in a core network or a radio access network,for example. Node 130 may comprise a mobility management entity, MME, orswitch, for example. Connection 123 may comprise a wired connection,wireless connection or a partly wireless connection. Connection 123 maybe used to convey payload traffic between node 130 and base station 120.Node 130 is coupled with gateway 140 via connection 134, and gateway 140is, in turn, coupled with further networks via connection 141.Connections 134 and 141 may comprise wire-line connections, for example.Wire-line connections may comprise Ethernet and/or fibre-opticconnections, for example.

Via base station 120, node 130 and gateway 140, UE 110 may communicatewith correspondent entities, which may be servers on the Internet,telephone endpoints in domestic or foreign locations or, for example,banking services in an corporate extranet.

When transitioning from an idle state to a connected state, UE 110 maytrigger establishment of at least one physical channel over link 112. Indetail, UE 110 may trigger a connection establishment process including,such as, for example, a random access procedure. For example, UE 110 maytransmit a random access preamble to base station 120, which may replywith a random access response. UE 110 may then transmit a connectionrequest to base station 120, an example of a connection request being aRRCConnectionRequest message in accordance with the LTE system.

Once base station 120 has responded to a connection request message, forexample by transmitting a connection setup message, and received aconnection setup complete message from the UE 110, base station 120 mayconsult node 130, or another node, to obtain context informationrelating to UE 110. Node 130 may comprise an MME, for example. Thecontext information may comprise an encryption key to be used incommunication context encryption. An example of a connection setupcomplete message is a RRCConnectionSetupComplete message in accordancewith an LTE system, and an example of a context encryption key isK_(eNB). Other technologies have similar messages and keys.

A security command may be transmitted to UE 110 from base station 120 tocause the context encryption to be activated. A security command maycomprise at least one of the following: information on a cipheringalgorithm to use, information on an integrity algorithm to use and amessage authentication code—integrity, MAC-I, field. A MAC-I field maybe used to ensure message integrity, for example. After the securitycommand is received and acted on in UE 110, encryption of information inthe communication context may be accomplished using the contextencryption. Alternatively, a security command may be known as a securityinstruction.

From the point of view of base station 120, context encryption isactivated when the security command is sent and from the point of viewof UE 110, context encryption is activated when the security command isreceived and processed. Base station 120 may thus trigger the activationof the context encryption, although in some embodiments a triggeringmessage may be transmitted by UE 110.

On the other hand, UE 110 may have information that may be useful toprovide to base station 120 already before context encryption is active.Such information may comprise secondary cell measurement results and/ora secondary cell configuration desired by UE 110, for example. In casesuch information is of a kind that requires encryption, encrypting theinformation would be beneficial, but since context encryption is not yetactive, another encryption may be used. Such information may be used bybase station 120 to provide service to the user equipment, in otherwords, the information may be intended for use in base station 120, andnot merely provided to base station 120 for forwarding for use infurther nodes. Base station 120 may provide service by using theinformation, for example to configure an aspect of UE 110. The anotherencryption, used before context encryption is available, will bereferred to herein as early encryption as it may be employed inconnection with a connection establishment process before contextencryption is used. Early encryption may be used also at other times.

FIG. 2 illustrates an example embodiment of early encryption inaccordance with principles of the invention. On the vertical axes aredisposed, from the left to the right, UE 110, base station 120 and node130. Node 130 may comprise a MME in this embodiment, for example. Timeadvances from the top toward the bottom. The overall process of FIG. 2,like those of FIG. 4 and FIG. 5, is a transition from idle state toconnected, or active, state.

In phase 210, base station 120 may page UE 110. This phase is optional,as the invention is equally applicable to mobile-originatedcommunications. Phase 220 comprises, for example, a random accessprocess to obtain radio resources for communication between UE 110 andbase station 120. Phase 220 may comprise, for example, RRC connectionrequest and setup messages exchanged between UE 110 and base station120, which form part of a RRC connection establishment procedure.

Phase 230 comprises a message transmitted from UE 110 to base station120, the message comprising information intended for use in base station120, the information being in the message in encrypted form. The messageitself may be a RRC connection setup complete message, for example, butin various embodiments the message may go under different names. Themessage of phase 230 is transmitted before context encryption is yetactive between UE 110 and base station 120. The information, inencrypted form, may be in a NAS container, for example. The use of NASencryption provides the early encryption in embodiments in accordancewith FIG. 2. Early encryption is distinct from context encryption.

In phase 240, base station 120 communicates with node 130 in connectionwith the connection establishment procedure. In phase 240, base station120 provides the NAS container it has received in phase 230 to node 130.Node 130 decrypts the NAS container in phase 250, and returns theinformation, in unencrypted form, to base station 120 in phase 260.Further, in phase 260 node 130 may instruct base station 120 concerningthe connection establishment, for example by providing an encryption keyfor use in the context encryption.

Once in receipt of information provided in phase 260, base station mayapply the information that was provided under the early encryption inphase 230. Phase 270 comprises transmission of a security command frombase station 120 to UE 110, the security command being described hereinabove. Phases 280 to 2110 are provided as technological context and aredescribed in light of an LTE system, however in different communicationtechnologies these phases may proceed in differing manners. In detail,phase 280 may comprise a connection reconfiguration, which may comprisean addition of a secondary cell in accordance with the informationcommunicated to base station 120 using the early encryption. Phase 280and phase 270 may be transmitted in a same transport block. Phase 290may comprise a security command response, for example a security modecomplete message, and phase 2100 may comprise a connectionreconfiguration complete message, responsive to completion of areconfiguration instructed in phase 280. Phase 2110 may comprise aninitial context setup response, in response to messaging of phase 260.In general, base station 120 may be configured to reconfigure aconnection with UE 110, using the information provided under the earlyencryption, for example before the context encryption is active.

Phase 2120 comprises communication of data between UE 110 and thenetwork, the information being secured using the context encryptionwhich is active at this point.

FIG. 3 illustrates an example apparatus capable of supporting at leastsome embodiments of the present invention. Illustrated is device 300,which may comprise, for example, a mobile communication device such asUE 110 or, in applicable parts, base station 120 of FIG. 1. Comprised indevice 300 is processor 310, which may comprise, for example, a single-or multi-core processor wherein a single-core processor comprises oneprocessing core and a multi-core processor comprises more than oneprocessing core. Processor 310 may comprise more than one processor. Aprocessing core may comprise, for example, a Cortex-A8 processing coremanufactured by ARM Holdings or a Steamroller processing core producedby Advanced Micro Devices Corporation. Processor 310 may comprise atleast one Qualcomm Snapdragon and/or Intel Atom processor. Processor 310may comprise at least one application-specific integrated circuit, ASIC.Processor 310 may comprise at least one field-programmable gate array,FPGA. Processor 310 may be means for performing method steps in device300. Processor 310 may be configured, at least in part by computerinstructions, to perform actions.

Device 300 may comprise memory 320. Memory 320 may compriserandom-access memory and/or permanent memory. Memory 320 may comprise atleast one RAM chip. Memory 320 may comprise solid-state, magnetic,optical and/or holographic memory, for example. Memory 320 may be atleast in part accessible to processor 310. Memory 320 may be at least inpart comprised in processor 310. Memory 320 may be means for storinginformation. Memory 320 may comprise computer instructions thatprocessor 310 is configured to execute. When computer instructionsconfigured to cause processor 310 to perform certain actions are storedin memory 320, and device 300 overall is configured to run under thedirection of processor 310 using computer instructions from memory 320,processor 310 and/or its at least one processing core may be consideredto be configured to perform said certain actions. Memory 320 may be atleast in part comprised in processor 310. Memory 320 may be at least inpart external to device 300 but accessible to device 300.

Device 300 may comprise a transmitter 330. Device 300 may comprise areceiver 340. Transmitter 330 and receiver 340 may be configured totransmit and receive, respectively, information in accordance with atleast one cellular or non-cellular standard. Transmitter 330 maycomprise more than one transmitter. Receiver 340 may comprise more thanone receiver. Transmitter 330 and/or receiver 340 may be configured tooperate in accordance with global system for mobile communication, GSM,wideband code division multiple access, WCDMA, long term evolution, LTE,IS-95, wireless local area network, WLAN, Ethernet and/or worldwideinteroperability for microwave access, WiMAX, standards, for example.

Device 300 may comprise a near-field communication, NFC, transceiver350. NFC transceiver 350 may support at least one NFC technology, suchas NFC, Bluetooth, Wibree or similar technologies.

Device 300 may comprise user interface, UI, 360. UI 360 may comprise atleast one of a display, a keyboard, a touchscreen, a vibrator arrangedto signal to a user by causing device 300 to vibrate, a speaker and amicrophone. A user may be able to operate device 300 via UI 360, forexample to accept incoming telephone calls, to originate telephone callsor video calls, to browse the Internet, to manage digital files storedin memory 320 or on a cloud accessible via transmitter 330 and receiver340, or via NFC transceiver 350, and/or to play games.

Device 300 may comprise or be arranged to accept a user identity module370. User identity module 370 may comprise, for example, a subscriberidentity module, SIM, card installable in device 300. A user identitymodule 370 may comprise information identifying a subscription of a userof device 300. A user identity module 370 may comprise cryptographicinformation usable to verify the identity of a user of device 300 and/orto facilitate encryption of communicated information and billing of theuser of device 300 for communication effected via device 300.

Processor 310 may be furnished with a transmitter arranged to outputinformation from processor 310, via electrical leads internal to device300, to other devices comprised in device 300. Such a transmitter maycomprise a serial bus transmitter arranged to, for example, outputinformation via at least one electrical lead to memory 320 for storagetherein. Alternatively to a serial bus, the transmitter may comprise aparallel bus transmitter. Likewise processor 310 may comprise a receiverarranged to receive information in processor 310, via electrical leadsinternal to device 300, from other devices comprised in device 300. Sucha receiver may comprise a serial bus receiver arranged to, for example,receive information via at least one electrical lead from receiver 340for processing in processor 310. Alternatively to a serial bus, thereceiver may comprise a parallel bus receiver.

Device 300 may comprise further devices not illustrated in FIG. 3. Forexample, where device 300 comprises a smartphone, it may comprise atleast one digital camera. Some devices 300 may comprise a back-facingcamera and a front-facing camera, wherein the back-facing camera may beintended for digital photography and the front-facing camera for videotelephony. Device 300 may comprise a fingerprint sensor arranged toauthenticate, at least in part, a user of device 300. In someembodiments, device 300 lacks at least one device described above. Forexample, some devices 300 may lack a NFC transceiver 350 and/or useridentity module 370.

Processor 310, memory 320, transmitter 330, receiver 340, NFCtransceiver 350, UI 360 and/or user identity module 370 may beinterconnected by electrical leads internal to device 300 in a multitudeof different ways. For example, each of the aforementioned devices maybe separately connected to a master bus internal to device 300, to allowfor the devices to exchange information. However, as the skilled personwill appreciate, this is only one example and depending on theembodiment various ways of interconnecting at least two of theaforementioned devices may be selected without departing from the scopeof the present invention.

FIG. 4 illustrates an example embodiment of early encryption inaccordance with principles of the invention. On the vertical axes aredisposed, as in FIG. 2, UE 110, base station 120 and node 130.

Phases 410 to 420 correspond to phases 210 and 220 of FIG. 2,respectively.

Phase 430 comprises a message transmitted from UE 110 to base station120, the message comprising information intended for use in base station120, the information being in the message in encrypted form. The messageitself may be a RRC connection setup complete message, for example, butin various embodiments the message may go under different names. Themessage of phase 430 is transmitted before context encryption is yetactive between UE 110 and base station 120. The information, inencrypted form, may be encrypted using an early encryption key. Theearly encryption key may be generated, for example in connection with aninitial attachment of UE 110 with the network. The early encryption keymay be generated using a Diffie-Hellman exchange, for example. The useof the early encryption key provides the early encryption in embodimentsin accordance with FIG. 4 The early encryption key may be established ina NAS layer procedure, for example. Alternatively to a NAS procedure, adefault integrity/ciphering algorithm could be defined and the keyscould be defined without negotiating between UE and MME.

FIGS. 4 and 5 illustrate embodiments where new, temporary, securitywould be defined between the UE and the base station, which in LTE is aneNB. The new early encryption key could be derived, in LTE technology,from K_(ASME) in UE and in MME and MME would provide the key to eNB whenrequested by eNB. eNB would request the early encryption key when itwould receive early-encrypted UE information. Early encryption keyrequest could be added to some existing message(s) over S1, such as, forexample, INITIAL UE MESSAGE, or a new message could be created for it.And the early encryption key could be provided to eNB in some existingmessage, such as, for example, INITIAL CONTEXT SETUP REQUEST where alsoK_(eNB) is provided, or a new message could be defined. eNB could thendecipher the early-encrypted UE information with the early encryptionkey or a key derived from the early encryption key received from MME. Inaddition to early (de)ciphering key, eNB and UE could derive also anearly integrity protection key from the early encryption key. The earlyintegrity key could be used to integrity protect the messages sent bythe UE. The advantage of these alternatives is that information receivedfrom the UE need not be sent to MME for deciphering and returned back tothe eNB for use. In general, a security scheme may comprise an integrityprotection scheme and/or an encryption scheme. An encryption scheme, inturn, may comprise early encryption or context encryption, for example.

In phase 440, base station 120 communicates with node 130 in connectionwith the connection establishment procedure. In phase 440, base station120 requests the early encryption key to be provided to base station120. Node 130 retrieves, generates or re-generates the early encryptionkey in phase 450, and provides it to base station 120 in phase 460.Further, in phase 460 node 130 may instruct base station 120 concerningthe connection establishment, for example by providing an encryption keyfor use in the context encryption. In other words, phase 460 maycomprise node 130 providing two encryption keys to base station 120,namely the key for context encryption and the key for early encryption.

Base station 120 may use the early encryption key to decrypt, in phase470, the information provided by UE 110 in phase 430, to thereby obtainthe information in unencrypted form.

Once in receipt of the information provided in phase 430, in unencryptedform, base station 120 may apply the information that was provided underthe early encryption in phase 430. Phase 480 comprises transmission of asecurity command from base station 120 to UE 110, the security commandbeing described herein above. Phases 490 to 4120 are provided astechnological context and are described in light of an LTE system,however in different communication technologies these phases may proceedin differing manners. In detail, phase 490 may comprise a connectionreconfiguration, which may comprise an addition of a secondary cell inaccordance with the information communicated to base station 120 usingthe early encryption. Phase 490 and phase 480 may be transmitted in asame transport block. Phase 4100 may comprise a security commandresponse, for example a security mode complete message, and phase 4110may comprise a connection reconfiguration complete message, responsiveto completion of a reconfiguration instructed in phase 490. Phase 4120may comprise an initial context setup response, in response to messagingof phase 460, for example. In general, base station 120 may beconfigured to reconfigure a connection with UE 110, using theinformation provided under the early encryption, for example before thecontext encryption is active.

Phase 4130 comprises communication of data between UE 110 and thenetwork, the information being secured using the context encryptionwhich is active at this point.

FIG. 5 illustrates an example embodiment of early encryption inaccordance with principles of the invention. The embodiment of FIG. 5resembles that of FIG. 4 in that an early encryption key is used. Phases510 and 520 correspond to phases 410 and 420 of FIG. 4, respectively.

Phase 530 comprises a message transmitted from UE 110 to base station120, the message comprising an indication that information intended foruse in base station 120 is available in UE 110. The message comprisingthe indication does not comprise the information itself. The informationmay be of the type that requires ciphering to transmit, while beinguseful to base station 120 already before context encryption is active.The message of phase 530 may be a RRC connection setup complete message,for example, but in various embodiments the message may go underdifferent names. The message of phase 530 is transmitted before contextencryption is yet active between UE 110 and base station 120.

Responsive to the indication of phase 530, base station 120 may requestthe indicated information to be provided from UE 110 to base station120. Such a request is illustrated in FIG. 5 as phase 532. For example,the information may comprise secondary cell measurement information, ora desired secondary cell configuration. Phases 540 and 532 may takeplace at more or less the same time, or one before or after the other.As the information will be provided from UE 110 using early encryption,where base station 120 requests for the information, base station 120also requests for the early encryption key from node 130. Suchrequesting may be comprised in phase 540.

The information, in encrypted form, may be encrypted using the earlyencryption key. The early encryption key may be generated, for examplein connection with an initial attachment of UE 110 with the network. Theearly encryption key may be generated using a Diffie-Hellman exchange,for example. The use of the early encryption key provides the earlyencryption in embodiments in accordance with FIG. 5

In phase 540, base station 120 communicates with node 130 in connectionwith the connection establishment procedure. In phase 540, base station120 requests the early encryption key to be provided to base station120. Node 130 retrieves, generates or re-generates the early encryptionkey in phase 550, and provides it to base station 120 in phase 560.Further, in phase 560 node 130 may instruct base station 120 concerningthe connection establishment, for example by providing an encryption keyfor use in the context encryption. In other words, phase 560 maycomprise node 130 providing two encryption keys to base station 120,namely the key for context encryption and the key for early encryption.

UE 110 may provide the information, in encrypted form, to base station120 in phase 535, as a response to the requesting of phase 532. Basestation 120 may use the early encryption key to decrypt, in phase 570,the information provided by UE 110 in phase 535, to thereby obtain theinformation in unencrypted form.

Once in receipt of the information provided in phase 535, in unencryptedform, base station may apply the information that was provided under theearly encryption in phase 535. Phase 580 comprises transmission of asecurity command from base station 120 to UE 110, the security commandbeing described herein above. Phases 590 to 5120 are provided astechnological context and are described in light of an LTE system,however in different communication technologies these phases may proceedin differing manners. In detail, phase 590 may comprise a connectionreconfiguration, which may comprise an addition of a secondary cell inaccordance with the information communicated to base station 120 usingthe early encryption. Phase 5100 may comprise a security commandresponse, for example a security mode complete message, and phase 5110may comprise a connection reconfiguration complete message, responsiveto completion of a reconfiguration instructed in phase 590. Phase 5120may comprise an initial context setup response, in response to messagingof phase 560, for example. In general, base station 120 may beconfigured to reconfigure a connection with UE 110, using theinformation provided under the early encryption, for example before thecontext encryption is active.

Phase 5130 comprises communication of data between UE 110 and thenetwork, the information being secured using the context encryptionwhich is active at this point.

An advantage of FIG. 4 and FIG. 5 embodiments is that the information,which is sensitive enough to require encryption, is not communicatedbetween the base station and node 130. An advantage of the FIG. 5embodiment is that the message of phase 530 does not increase in size,as the information is not automatically included therein, and basestation 120 is merely enabled to request the information if it is usefulin the prevailing circumstances. The described security scheme may beuseful also with suspend/resume, namely, when the UE connection isresumed, all secondary cells, including the entirety of the secondarycell group, SCG, are released. Hence, when the UE requests a resumptionof a previously suspended connection, it may indicate that it mayutilize also carrier aggregation in accordance with a new primary cellconfiguration, which may benefit from the present invention. Thedescribed security mechanism may also be usable with 5G or othercellular technologies with idle-to-connected transitions where securityneeds to be activated prior to UE sending any measurement information toeNB.

FIG. 6 is a flow graph of a method in accordance with at least someembodiments of the present invention. The phases of the illustratedmethod may be performed in base station 120, for example, or in acontrol device configured to control the functioning thereof, whenimplanted therein.

Phase 610 comprises storing information in an apparatus. Phase 620comprises receiving the information, in encrypted form using a secondencryption scheme, from a user equipment, in the apparatus, beforeactivation of a first encryption scheme. Phase 630 comprises obtainingan unencrypted form of the information. Finally, phase 640 comprisesusing the unencrypted form of the information to provide service to theuser equipment before or after the first encryption scheme is activated.

FIG. 7 is a flow graph of a method in accordance with at least someembodiments of the present invention. The phases of the illustratedmethod may be performed in UE 110, for example, or in a control deviceconfigured to control the functioning thereof, when implanted therein.

Phase 710 comprises establishing information to be provided to a basestation device. Phase 720 comprises, before activation of a firstencryption scheme, causing transmission of the information, in a formencrypted using a second encryption scheme, to the base station device.Finally, phase 730 comprises beginning using the first encryption schemein communication between the apparatus and the base station device,after causing the transmission of the information.

Further example embodiments with example message names and contents areshown in FIGS. 8, 9 and 10. They are examples of embodiments in FIGS. 2,4 and 5, respectively. We propose to use a pre-defined encryption whensending UE-specific information to eNB, along with explicit or implicitindication to eNB of whether the key information or decrypted messageneeds to be retrieved via MME.

In particular, one possibility, illustrated in FIG. 8, would be to useexisting NAS encryption keys, negotiated at ATTACH time, also to encryptthe information sent by UE, in addition to a normal NAS message. Thenthe UE Information should be sent to MME, which would decrypt it andreturn the unciphered message to eNB before, during or after the normalcontext setup procedure.

Alternatively, FIGS. 9 and 10, the UE information could be encryptedusing a new temporary idle-to-connected, “ItoC” mode encryption schemesuch that the keys are negotiated between UE and MME at ATTACH time.Then, eNB would request the keys from MME when receiving UE Informationand there would not be need to send UE Information to MME and return itback to eNB.

Using NAS security for sending UE info intended for the eNB is depictedin FIG. 8. In the figure, SCell measurement results ordesired/indicated/requested SCell configuration (sCellInfo) is used asan example of possible UE info that is intended for eNB. A new NASmessage could be specified for this purpose, for example ‘NAS UE info toeNB’ message which would contain a container for the control infointended for eNB. In this embodiment, the new NAS message with thecontainer is sent over S1 to MME which would decipher the contents ofthe container and return the decrypted UE info to eNB as part of thenext S1 message, for example INITIAL CONTEXT SETUP REQUEST message.Alternatively, a new S1 messages could be defined for this purpose. Inthe figure, the new NAS message is sent over the air as part ofRRCConnectionSetupComplete message. Alternatively, a new RRC messagecould be defined. The advantage of this alternative is that no newsecurity keys are needed. The existing NAS keys would be reused.

FIGS. 9 and 10 illustrate alternatives where new, temporary, securitywould be defined between the UE and eNB. The new idle-to-connected“ItoC” key, or early encryption key, could be derived from K_(ASME) inUE and/or in MME and MME could provide the key to eNB when requested byeNB. eNB would request the ItoC key when it would receive encrypted UEinfo. ItoC key request could be added to some existing message(s) over51, for example INITIAL UE MESSAGE, or a new message could be createdfor it. And the new ItoC key, K_(ItoC), could be provided to eNB in someexisting message, such as, for example, INITIAL CONTEXT SETUP REQUESTwhere also K_(eNB) is provided, or a new message could be defined. eNBcould then decipher the UE info with a key derived from K_(ItoC). Theadvantage of these alternatives is that UE info is not sent to MME.

In FIG. 9, the UE information is provided withinRRCConnectionSetupComplete message.

FIG. 10 illustrates an alternative where the UE information is requestedby eNB, for example by UEInformationRequest message, and sent within,for example, UEInformationResponse message using the new ItoC earlyencryption. In this alternative UEInformationRequest andUEInformationResponse messages are sent before normal securityactivation, that is, before SecurityModeCommand, which is not allowed inprior versions of specifications. The request itself may be transmittedwithout ciphering since eNB does not, yet, have the new key.

An advantage of this alternative is that RRCConnectionSetupCompletemessage does not grow much, only growing by the indication of new UEinformation. Compared to legacy UE information transfer, the transfercould be started already before normal security activation by using thenew ItoC security.

The new ItoC security could be temporary and it would only be used untilnormal security between UE and eNB is activated.

To create the ItoC key, either a new NAS level procedure between UE andMME should be defined, similar to NAS security mode command, or for thispurpose a default integrity/ciphering algorithm could be defined and thekeys could be defined without negotiating between UE and MME and/or eNB.

The new, early, security mechanism could be used also with 5G or othercellular technologies with idle-to-connected transition where securityneeds to be activated prior to UE sending any measurement information toeNB.

It is to be understood that the embodiments of the invention disclosedare not limited to the particular structures, process steps, ormaterials disclosed herein, but are extended to equivalents thereof aswould be recognized by those ordinarily skilled in the relevant arts. Itshould also be understood that terminology employed herein is used forthe purpose of describing particular embodiments only and is notintended to be limiting.

Reference throughout this specification to one embodiment or anembodiment means that a particular feature, structure, or characteristicdescribed in connection with the embodiment is included in at least oneembodiment of the present invention. Thus, appearances of the phrases“in one embodiment” or “in an embodiment” in various places throughoutthis specification are not necessarily all referring to the sameembodiment. Where reference is made to a numerical value using a termsuch as, for example, about or substantially, the exact numerical valueis also disclosed.

As used herein, a plurality of items, structural elements, compositionalelements, and/or materials may be presented in a common list forconvenience. However, these lists should be construed as though eachmember of the list is individually identified as a separate and uniquemember. Thus, no individual member of such list should be construed as ade facto equivalent of any other member of the same list solely based ontheir presentation in a common group without indications to thecontrary. In addition, various embodiments and example of the presentinvention may be referred to herein along with alternatives for thevarious components thereof. It is understood that such embodiments,examples, and alternatives are not to be construed as de factoequivalents of one another, but are to be considered as separate andautonomous representations of the present invention.

Furthermore, the described features, structures, or characteristics maybe combined in any suitable manner in one or more embodiments. In thepreceding description, numerous specific details are provided, such asexamples of lengths, widths, shapes, etc., to provide a thoroughunderstanding of embodiments of the invention. One skilled in therelevant art will recognize, however, that the invention can bepracticed without one or more of the specific details, or with othermethods, components, materials, etc. In other instances, well-knownstructures, materials, or operations are not shown or described indetail to avoid obscuring aspects of the invention.

While the forgoing examples are illustrative of the principles of thepresent invention in one or more particular applications, it will beapparent to those of ordinary skill in the art that numerousmodifications in form, usage and details of implementation can be madewithout the exercise of inventive faculty, and without departing fromthe principles and concepts of the invention. Accordingly, it is notintended that the invention be limited, except as by the claims setforth below.

The verbs “to comprise” and “to include” are used in this document asopen limitations that neither exclude nor require the existence of alsoun-recited features. The features recited in depending claims aremutually freely combinable unless otherwise explicitly stated.Furthermore, it is to be understood that the use of “a” or “an”, thatis, a singular form, throughout this document does not exclude aplurality.

INDUSTRIAL APPLICABILITY

At least some embodiments of the present invention find industrialapplication in enhancing data security and/or reducing delays ininitiating connectivity.

ACRONYMS LIST

-   5G fifth generation-   LTE long term evolution-   MME mobility management entity-   NAS non access stratum-   RACH random access channel-   RRC radio resource control-   SCG secondary cell group-   UE user equipment-   WCDMA wideband code division multiple access-   WiMAX worldwide interoperability for microwave access-   WLAN wireless local area network

REFERENCE SIGNS LIST 110 UE (user equipment) 120 base station 130 node140 gateway 112 wireless link 123, 134, 141 connections 210-2120 phasesof the method of FIG. 2 300-370 structure of the device of FIG. 3410-4130 phases of the method of FIG. 4 510-5130 phases of the method ofFIG. 5 610-640 phases of the method of FIG. 6 710-730 phases of themethod of FIG. 7

The invention claimed is:
 1. A base station apparatus comprising: at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to receive information, in encrypted form using a second encryption scheme, directly from a user equipment, in the apparatus, before activation of a first encryption scheme, the first encryption scheme being a communication context encryption scheme; obtain an unencrypted form of the information; use the unencrypted form of the information to provide service to the user equipment before or after the first encryption scheme is activated; and process a triggering of the activation of the first encryption scheme during a connection establishment procedure; wherein the information comprises at least one of secondary cell measurement results and a secondary cell configuration requested by the user equipment.
 2. The base station apparatus according to claim 1, wherein the apparatus is further caused to obtain the unencrypted form of the information via a core network.
 3. The base station apparatus according to claim 1, wherein the apparatus is further caused to obtain the unencrypted form of the information at least partly by requesting an unencryption key from a core network.
 4. The base station apparatus according to claim 1, wherein the first encryption scheme comprises an access stratum AS encryption scheme.
 5. The base station apparatus according to claim 1, wherein the second encryption scheme comprises a non-access stratum, NAS, encryption scheme relating to the user equipment.
 6. The base station apparatus according to claim 1, wherein the apparatus is further caused to obtain the unencrypted form of the information by providing the encrypted form of the information to a mobility management entity, and by receiving the unencrypted form of the information from the mobility management entity.
 7. The base station apparatus according to claim 1, wherein the second encryption scheme comprises an encryption scheme pre-negotiated between the core network and the user equipment.
 8. The base station apparatus according to claim 1, wherein the apparatus is further caused to receive an encryption key from a core network, and to decrypt the information to thereby obtain the unencrypted form.
 9. The base station apparatus according to claim 1, wherein the at least one processing core is configured to cause transmission of a security command comprising an instruction to trigger activation of the first encryption scheme between the user equipment and a network.
 10. A user equipment apparatus comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to: establish information to be provided to a base station device; before activation of a first encryption scheme, cause transmission of the information, in a form encrypted using a second encryption scheme, directly to the base station device, the first encryption scheme being a communication context encryption scheme; and begin, after causing the transmission of the information, use of the first encryption scheme in communication between the apparatus and the base station device; wherein the information comprises at least one of secondary cell measurement results and a desired secondary cell configuration.
 11. The user equipment apparatus according to claim 10, wherein the apparatus is further caused to begin using the first encryption scheme responsive to a security command communicated with the base station device, the security command including an instruction to activate the first encryption scheme.
 12. The user equipment apparatus according to claim 10, wherein the apparatus is further configured to cause the transmission of the information in connection with a connection establishment process.
 13. The user equipment apparatus according to claim 10, wherein the apparatus is further configured to cause the transmission of the information in a non-access stratum container.
 14. A method, comprising: establishing information to be provided from a user equipment to a base station device; before activation of a first encryption scheme, causing transmission of the information, in a form encrypted using a second encryption scheme, directly from the user equipment to the base station device, the first encryption scheme being a communication context encryption scheme; and beginning, after causing the transmission of the information, use of the first encryption scheme in communication between the user equipment and the base station device; wherein the information comprises at least one of secondary cell measurement results and a desired secondary cell configuration.
 15. The method according to claim 14, wherein use of the first encryption scheme is begun responsive to a security command communicated from the base station device to the user equipment, the security command including an instruction to activate the first encryption scheme.
 16. The method according to claim 14, wherein the information is caused to be transmitted in connection with a connection establishment process.
 17. The method according to claim 14, wherein the information is caused to be transmitted in a non-access stratum container. 